Cisco :: ACS 5.1 / Using Local Users As Fallback For AD

Aug 17, 2011

I have ACS 5.1 configured to authenticate users based on Active Directory. I have configured wired 802.1x too, with machine authentication enabled on ACS. When I login with credentials that exist in AD, it works fine. Then I configured Windows Authentication to ask for credentials (popup window). But I experience network disconnection when I login with a local account even though I entered correct AD credentials. I want to do the following: for an account that exists on the machine being authenticated (non-AD account), ACS should check its local database and reply with authentication success if it finds it, so the user is granted network connectivity. I heard about Identity Sequence in ACS. But I still don't see the right configuration,

View 2 Replies



Cisco AAA/Identity/Nac :: ACS 5.1 / ASA Fallback To Local If User Unknown

Feb 9, 2010

I know the way to configure the ASA to fallback to LOCAL authentication, if the Radius server is not available.
 
Now we would like to authenticate the local users, if the user is not found in the AD. Is this possible and how can I configure this with the new policies? I tested it with "dropping" when the user is not found in the AD, but then the Radius server will be marked as "dead" and the other AD users can't login for a given period. Maybe we can configure the dead time to 0, but this is not as nice as it could be.

View 4 Replies View Related

Cisco :: 5508 WLC - 7.0.98.218 Local Users Password Reset

Jul 10, 2011

We are required to change passwords every so often at my job. I am trying to change the password for one of the local user accounts on a 5508 WLC running 7.0.98.218 - How can I accomplish this task? The option I get is to remove the users.

View 1 Replies View Related

Cisco VPN :: 5505 Local Users Authenticate To AnyConnect

Jul 16, 2012

I am trying to configure a Cisco ASA 5505 so that users can authenticate via Radius or via a Local account using the Cisco AnyConnect client. In the AnyConnect Connection profile, the basic tab, it has Authentication Method. We have this going to an AAA server group with Use Local if Server Group fails option is checked. Each time, I see where the user has failed while attempting to log in to the domain via the radius servers and thus bypasses the local user database altogether.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 Using Local Users As Fall Back For AD

Aug 24, 2011

I have ACS 5.1 configured to authenticate users based on Active Directory. I have configured wired 802.1x too, with machine authentication enabled on ACS. When I login with credentials that exist in AD, it works fine. Then I configured Windows Authentication to ask for credentials (popup window). But I experience network disconnection when I login with a local account even though I entered correct AD credentials. I want to do the following: for an account that exists on the machine being authenticated (non-AD account), ACS should check its local database and reply with authentication success if it finds it, so the user is granted network connectivity. I heard about Identity Sequence in ACS. But I still don't see the right configuration,

View 2 Replies View Related

WRT160n - 10TB Local Web Server With More Than 20 Users

Jan 25, 2012

Since the number of computers is expanding at my home, I want to reduce Wireless Connectivity and increase Ethernet connection between computers. I will be running a Server that supports 10 TB Storage. Will a Custom PC be better or should I use a NAS connected to a web server?

I currently use a Linksys WRT160n router that supports only 4 ethernet connections. Now I need at least 40 Ethernet connections. Will a Switch do? Also I will be running Asterisk to support Telephones.

My web server will not function globally. Only in LAN. And also, the web server will have a 250gb Wikipedia Dump that will deploy 10 times; and also a lot of video from KhanAcademy for knowledge base. I am looking for something powerful which will be quiet and have less downtime. I have checked out Newegg, eRacks, and many other websites. But I am confused with what to consider buying.

A Local Web Server or a custom built PC for 10tb hard drive support. Router that can provide wired connection to about 40 users. A Terminal so I can monitor the bandwidth usage.

View 19 Replies View Related

Cisco Wireless :: 2504 / Assign IP Addresses To Remote Site Wi-Fi Users From Local DHCP Server?

May 29, 2012

Is it possible to assign IP addresses to remote site WIFI users from local DHCP server and forward all other traffic to 2504 WLC?
 
[WIFI Users] >--------<AP (DHCP server) >------ VPN ---------< WLC

View 1 Replies View Related

Cisco WAN :: 886 With 3G Fallback And NAT

Sep 6, 2011

I have a Cisco 886G. I have configured a fallback mechanism. I did this with a sla track. You can see this in the config below. But the problem is that I can't get internet to work when the connection is in fail over state. It fails over to Cellular0 and I can ping from router to the internet. That works fine but when I want to use the internet from one of the pc's it doesn't work. I traced it to nat. There seems to be that only one ip nat inside source .... When I change this one from dialer0 to cellular0 I have internet on the computers. How can I configure multiple ip nat inside source... rules or is there another way to accomplish this?

View 1 Replies View Related

Cisco Wireless :: AP Fallback From WLC V 7.4 To V7.2?

May 19, 2013

We are testing WLC v7.4 in our lab. The AP joins fine but when we try to move it to another WLC running 7.2 (simulating a fall-back plan if there are issues with the 7.4 code), it fails saying image not found.

View 4 Replies View Related

Cisco Wireless :: AP Fallback Not Working With 4402?

Apr 12, 2012

I have an issue with AP Fallback not working with two Cisco 4402-50 WLC's. Here is the scenario:
 
Site 1 has a 4402 (WLC01) running software 7.0.220.0 with 48 associated access points. AP Fallback is enabled in Controller > General and all 48 AP's are set to Critical failover with WLC01 being the primary controller and WLC02 (at site 2) being the secondary.
 
Site 2 is the location of WLC02 which is also running software 7.0.220.0 but has 0 ap's associated and also had AP Fallback set to enabled.
 
Your typical active/passive setup
 
The problem is when WLC01 goes down all of the AP's fail over to WLC02, however when the connection is restored to WLC01 we have to manually reboot each access point in order for them to reassociate back to the primary controller. Isn't AP Fallback enabled supposed to allow the AP's to move back to the primary controller once connection is reestablished?

View 15 Replies View Related

Pairing ADSL2+ And Cable For Each-way Fallback

Oct 26, 2011

We have both ADSL2+ and Cable broadband and wish to have them both connected to and accessible on the same network, possibly linked by using the WiFi modem-routers or by adding redundant WiFi modem-routers in bridge mode. The object is to have a seamless each-way fall-back as both broadband feeds have been unreliable in the past, sometimes for weeks at a time and this has had a destructive influence on concurrent college, uni courses and various pocket-money commercial interests. The current situation is to have two separate wired networks running at 100/1000 with limited WiFi access for laptops and mobile device access. All clients would effectively be part of the same workgroup but with a possible future dmz to a small dynamic dns server for non-business convenience and test use. (HTML, PHP, MySQL website development exercises etc.) At present, there are no significant internal security issues within the firewalls provided by the existing modem-routers and there is no significant budget.

View 2 Replies View Related

Cisco Wireless :: 1552 AP / WLC 7.2 - Mesh Infrastructure (Repeater Fallback)

Feb 14, 2013

I'm deploying a Cisco Mesh infrastructure using WLC 7.2 version and 1552 APs.
 
This Mesh APs will be connected in the Light Pole and the RAP will be connected to the SP Switch located in this same Pole.
 
The MAP will be powered using Pole source power and will be connected to the RAP over 5.8 backhaul.
 
My Customer asks if it is possible that, in case the SP Switch loses connectivity to the Backbone IP, the RAP can connect to another RAP and maintain the connectivity to the Backbone over the Air, like REPEATER FALLBACK mode in Autonomous version.
 
For that I am thinking of changing the role of the RAP APs to "MAP with UTP Cable", but I'm not sure that a MAP AP with CAPWAP tunnel over UTP Cable can provide a downlink backhaul to other MAPs. Is that possible?

View 3 Replies View Related

Linksys Wireless Router :: Wrt54gs / Setup Local DNS Server To Manage Small Office Local-only Domain Names?

Apr 22, 2012

I'm trying to setup a local DNS server to manage small office local-only domain names for our servers. I have the DNS working properly (resolving local machines and using the ISP dns if it can't). So I put the DNS server ip into the "Static DNS 1" field of the router settings. The other 2 static dns fields are empty. The problem is that the router is still using the ISP dns server as the primary and my local dns server as the secondary. I verify this in two places. First, if I go to the "status" tab, DNS 1 shows the ISP server while DNS 2 shows my local DNS server. Secondly, if I connect to the wireless device with a linux-based machine, the /etc/resolv.conf file shows the nameserver ips in the same incorrect order.

View 1 Replies View Related

Different IPs For Different Users?

Mar 3, 2011

I have a user ABC (Admin Account) and XYZ (limited user). For both of them I would like to have two different ip configurations. If ABC (Admin Account) logs in he should have ip, gateway and dns1, dns2 and dns3. If XYZ (limited user) logs in he should have ip, gateway and dns1 only. Is it possible to have the above configurations?

View 4 Replies View Related

NAS Not Being Seen By Users?

Feb 27, 2013

I have Synology DS213 directly connected to a SMC Comcast business cable modem. The IP address of the DS213 is 5.4.3.x. The cable modem is pushing out IP Address in the same range 5.4.3.x. The cable modem connects to a wireless router and switch. The users who use wireless and wired connections have a public IP Address 192.168.x.x

View 5 Replies View Related

Cisco :: Limit Certain Users On A VLAN?

Jan 8, 2013

What would be the best method to limit some users/workstations from accessing the internet on a vlan that has access to the internet?

I was thinking of just creating a whole new VLAN for those few workstations that doesn't access the internet or using ACLs on the ASA.

View 2 Replies View Related

Cisco :: How To Remove Users In Nm-cue Module

Jun 28, 2012

I know that to add a user in the service engine it is (config)#user Aileen create, but how would you remove it? I tried no before user to negate the command but I do #sh users and the username is still listed.

View 1 Replies View Related

Cisco VPN :: Log Off Idle Users / ASA 5520

May 6, 2010

I'm using a Cisco ASA 5520 with IOS 8.2.2. We have many remote users using the Cisco VPN client, but I have been asked can we logout idle users as we do hit our license limit and some users stay connected for days.

View 3 Replies View Related

Cisco VPN :: Pix 515e NAT For VPN Dialing Users

Mar 4, 2012

I've just set up dialin VPN on my PIX 515e. The users can connect fine but my split tunnel ACL is not applied and I have the following error in syslog: "No translation group found for udp src outside:10.0.56.2/137 dst inside_lan:10.0.8.6/137". If I try to ping my inside interface from the client, I get a reply from the outside interface IP address. Do I need a specific NAT rule for my VPN client users?

View 2 Replies View Related

Cisco :: LMS 4.1 Track Users And Hostnames?

Oct 2, 2012

I installed the Cisco Prime LMS widget and see there is a choice to search by username and hostname and phonenumber (for IP phones?). How can this be set up?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Importing Users From ACS 4.x To ACS 5.x

Jun 24, 2012

Is it possible to export internal ACS users from an ACS 4.x Windows (on ESXi) solution to an ACS 5.x solution? All I want to be able to do is export usernames and passwords out of the 4.x solution and then import them into the 5.x solution. I thought maybe the CSUtil program could be used?

View 3 Replies View Related

Cisco :: LMS 4.1 Authorization Error With DB Users

Sep 12, 2011

We need SQL-Connect to DB-Tables, as some "self-written" perl-scripts try to collect data. Are there any steps necessary to enable access to DB-Tables (and Views)?

View 1 Replies View Related

Cisco :: Authenticating LMS 4.x Users Via TACACS+ On ACS 5.3.0

Jul 12, 2012

How to configure ACS 5.x so LMS 4 users can authenticate via TACACS+? I have ACS 5.x setup and authenticating to Active Directory. Have changed the LMS 4.x Authentication Module to TACACS+. Have gotten past the user / password problem by configuring a local user in LMS 4.x. Now, am hitting the Default rule in ACS and Shell Profile is deny access.

View 1 Replies View Related

Cisco :: 1813 Can't Get Users To Authenticate To ACS

Feb 14, 2012

I am trying to connect using officeextend but couldn't. I have managed to connect the officeextend AP to the DMZ WLC however I can't get the users to authenticate to the ACS (although there is a rule to access the access on ports 1813 and 1812). Should the DMZ WLC need the ACS servers (I thought they wouldn't require as they are anchored back to the Internal WLC that the ACS server address

On a side note, I haven't created dhcp for the officeextend users - will this cause an issue - (just deciding on to it on WLC or windows server). In fact I can't even see myself authenticating on the ACS server

View 25 Replies View Related

Cisco VPN :: ASA Hairpinning Remote VPN Users 8.4?

Aug 14, 2011

I have set this up on pre 8.3 code and 8.3 code as well. I have the following configured on the ASA, but it is not working and I am not seeing the ASA trying to NAT the VPN pool IP address that the client gets assigned.

object network VPNPool
 subnet 192.168.70.0 255.255.255.0
 nat (outside,outside) dynamic interface
same-security-traffic permit intra-interface

View 3 Replies View Related

QoS On 150 Users Network / How To Set It

Oct 19, 2012

I have 2 ISPs, each ISP is 20Mbps internet speed, and I connect these 2 ISPs to a mikrotik router, so this network will have 20Mbps + 20Mbps line and this network has 150 users. Any idea how to set the QoS? I don't want the users using p2p applications to use the full bandwidth and then affect the other users so that browsing becomes slow, and I want to reserve some bandwidth for some users for gaming.

View 3 Replies View Related

Cisco :: Way To Grant SSL VPN Users Different Levels Of Access?

Mar 18, 2011

I have a customer with an ASA5510. We have an SSL VPN (tunnel-based, or "SVC") that we use for remote access. That works great. They want to be able to use this same functionality, but add users who will not have the full access that the current SSL VPN users have. So in other words we currently have a small group of users who get full access to the LAN. Then they want to have a second group of users who will only have access to certain nodes. I'm wondering if there's some way to do this using LDAP between the firewall and the Radius server? The user gets put in a different tunnel group depending on what the FW learns from the server? We only have the Anyconnect Essentials license, so unfortunately we can't do a clientless SSL VPN, which otherwise might work well here.

View 3 Replies View Related

Cisco :: Firewall Blocking Users From Connecting From Outside?

Oct 5, 2012

I set up a cisco 2811 to replace a netgear router at the office. I have nat set up and with ccp I added a firewall on the router using the basic firewall wizard. Just about everything works: internet, receiving and sending emails on exchange from the pc. The issue I'm having is that no one can access the company email on their phone. Also there's a camera system that would be accessible to view from the live feed from outside the office and my boss can't access the camera. I port mapped all the custom applications and added a new traffic rule from self -> outzone. It didn't work. I tried to add one from outzone -> self or inzone but I get a prompt stating it only accepts protocols tcp, udp, sip, h323, icmp and a few others I can't think of. I'm pulling out my hair trying to get this to work. Everything worked seamlessly on the netgear router and nothing was really defined, just the inbound ip address of the applications and protocols that are allowed.

Lets say for reference purposes my ip addresses for internet is

internet
55.34.23.43 /24
email server
192.168.10.252 /24
web cam application
192.168.10.10 /24
8000 in
8001 out

View 1 Replies View Related

Cisco Firewall :: ASA5505 - Can NAT May Be Used For More Than 10 Users With License

Apr 20, 2012

I have a 10 user license for Cisco ASA, and I have to use this ASA for client connectivity. Can I do NAT of more than 10 users with this license? What I understand is NO.

But as per the explanation below it looks like I can if I am not doing default routing? Actually I just need to add a specific Route towards the client DMZ interface on my ASA, no default route, so can I use more than 10 concurrent sessions with this license?

View 5 Replies View Related

AAA/Identity/Nac :: Authenticate LAN Users Via Cisco 2911

Feb 9, 2012

We have remote users that dial-in over ISDN to a Cisco 2911. We have configured AAA to pass the authentication off to a RADIUS server. Once successfully authenticated, the router permits the users to access a single web server. However, we need to do some testing in our test environment, but unfortunately we don't have an ISDN line to test with. We have created a little environment in our LAB using a 2911, a switch, a RADIUS server & web server. I was hoping that we could simply create a "user" VLAN off the back of the 2911 to simulate our remote users, and access the web site from the test user PCs over the LAN. I was hoping that the 2911 would be able to intercept the connection and pass the authentication off to the RADIUS server (as it does with the PPP ISDN traffic). But I cannot find any way to do this, because I can only configure AAA to offload either PPP traffic or telnet/ssh connections to the router itself.

In summary what I want is for a user to access an internal web site over a LAN interface of a 2911 - but have the 2911 authenticate the user via a remote RADIUS server first. Is there a way to configure a 2911 (or any router!) to do this? Is the answer to configure port-based authentication (802.1X) on the switch?

View 3 Replies View Related

Cisco VPN :: Adding Users On 881-K9 Router Side?

Apr 7, 2013

A client of ours has an 881-K9 router that they have configured a VPN on; this was setup and configured prior to my joining the company. This client now needs to add more usernames to the VPN on the router side, and I've both searched here, and googled for how to add users to the VPN on the router. The only thing that comes up is adding clients (from the client end PC), and nothing to show how to create the users on the CLI from ssh on the router itself.

View 1 Replies View Related

Cisco Routers :: Symantec VIP Users Out There SA540

Jul 16, 2012

We have a Cisco SA540. It has been an extremely reliable UTM router. Other than SSL VPN not working for Mac OSX, we are very pleased with the unit. We have a 3 year contract for IPS, a 3 year contract for Trend Micro Protectlink Web, and a 3 year contract for Small Business Support Service for the unit. Right now we are trying to setup the VIP functionality but it is not going very well. To sum it up in a few words, we cannot get the SA540 to prompt the SSL VPN users to enter the 6-digit access code.

We setup an account at Verisign and requested a trial for VIP. They promptly setup the trial account. Getting everything setup was a breeze. The Verisign website is very well documented. They even had specific instructions for Cisco SA500 Series routers!!! We were very impressed with Verisign's implementation. We are able to get our SA540 to talk to Verisign (basically, when we activate or deactivate an SSL VPN VIP user in the SA540 web GUI, you can immediately see it enabling or disabling the user on the Verisign website... it is very cool). Unfortunately no matter what we do, we cannot get the SA540 to prompt the SSL VPN user to enter the one time 6-digit code. In this case, we are using Verisign's iPhone app called 'VIP Access'.

I called into the SBSC and talked to a guy. I felt really bad for him. He used WebEx to log into my desktop and I showed, and explained, to him how all of it worked (setting up VIP in the SA540 web GUI, as well as the Verisign website). He had no clue about Verisign, VIP, or the two-factor authentication concept at all. I told him that he needed to escalate my case to the SA500 Series team, but of course he had to try. He was supposed to call me back yesterday or today. I am sure he is dreading calling me back as he probably still has no clue.

How to use the VIP functionality? Or how it works and set it up? We would like to at least get it to work before our 30-day trial period is up. I have a distinct feeling that the functionality used to work, but Cisco hasn't kept up the firmware with all the latest back-end API calls to Verisign or something similar.

View 4 Replies View Related

Cisco WAN :: Number Of Users Supported On ISRs G2 880

Apr 16, 2013

This is a feature that I have researched for by looking at ISRs G2 data sheets and cisco.com website. The number of users that can be supported or the recommended number of users per router chassis/model is not mentioned anywhere. However this is mentioned in the Cisco 880 ISR data sheet. What are the number of users that can be supported or the recommended number of users on Cisco 1900/2900/3900 ISRs?

View 4 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved